FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_prot.c
1 /*
2 * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
9 * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 4. Neither the name of the University nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
36 */
37
38 /*
39 * System calls related to processes and protection
40 */
41
42 #include <sys/cdefs.h>
43 __FBSDID("$FreeBSD: releng/5.3/sys/kern/kern_prot.c 136588 2004-10-16 08:43:07Z cvs2svn $");
44
45 #include "opt_compat.h"
46 #include "opt_mac.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/acct.h>
51 #include <sys/kdb.h>
52 #include <sys/kernel.h>
53 #include <sys/lock.h>
54 #include <sys/mac.h>
55 #include <sys/malloc.h>
56 #include <sys/mutex.h>
57 #include <sys/sx.h>
58 #include <sys/proc.h>
59 #include <sys/sysproto.h>
60 #include <sys/jail.h>
61 #include <sys/pioctl.h>
62 #include <sys/resourcevar.h>
63 #include <sys/socket.h>
64 #include <sys/socketvar.h>
65 #include <sys/sysctl.h>
66
67 static MALLOC_DEFINE(M_CRED, "cred", "credentials");
68
69 SYSCTL_DECL(_security);
70 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
71 "BSD security policy");
72
73 #ifndef _SYS_SYSPROTO_H_
74 struct getpid_args {
75 int dummy;
76 };
77 #endif
78 /*
79 * MPSAFE
80 */
81 /* ARGSUSED */
82 int
83 getpid(struct thread *td, struct getpid_args *uap)
84 {
85 struct proc *p = td->td_proc;
86
87 td->td_retval[0] = p->p_pid;
88 #if defined(COMPAT_43)
89 PROC_LOCK(p);
90 td->td_retval[1] = p->p_pptr->p_pid;
91 PROC_UNLOCK(p);
92 #endif
93 return (0);
94 }
95
96 #ifndef _SYS_SYSPROTO_H_
97 struct getppid_args {
98 int dummy;
99 };
100 #endif
101 /*
102 * MPSAFE
103 */
104 /* ARGSUSED */
105 int
106 getppid(struct thread *td, struct getppid_args *uap)
107 {
108 struct proc *p = td->td_proc;
109
110 PROC_LOCK(p);
111 td->td_retval[0] = p->p_pptr->p_pid;
112 PROC_UNLOCK(p);
113 return (0);
114 }
115
116 /*
117 * Get process group ID; note that POSIX getpgrp takes no parameter.
118 */
119 #ifndef _SYS_SYSPROTO_H_
120 struct getpgrp_args {
121 int dummy;
122 };
123 #endif
124 /*
125 * MPSAFE
126 */
127 int
128 getpgrp(struct thread *td, struct getpgrp_args *uap)
129 {
130 struct proc *p = td->td_proc;
131
132 PROC_LOCK(p);
133 td->td_retval[0] = p->p_pgrp->pg_id;
134 PROC_UNLOCK(p);
135 return (0);
136 }
137
138 /* Get an arbitary pid's process group id */
139 #ifndef _SYS_SYSPROTO_H_
140 struct getpgid_args {
141 pid_t pid;
142 };
143 #endif
144 /*
145 * MPSAFE
146 */
147 int
148 getpgid(struct thread *td, struct getpgid_args *uap)
149 {
150 struct proc *p;
151 int error;
152
153 if (uap->pid == 0) {
154 p = td->td_proc;
155 PROC_LOCK(p);
156 } else {
157 p = pfind(uap->pid);
158 if (p == NULL)
159 return (ESRCH);
160 error = p_cansee(td, p);
161 if (error) {
162 PROC_UNLOCK(p);
163 return (error);
164 }
165 }
166 td->td_retval[0] = p->p_pgrp->pg_id;
167 PROC_UNLOCK(p);
168 return (0);
169 }
170
171 /*
172 * Get an arbitary pid's session id.
173 */
174 #ifndef _SYS_SYSPROTO_H_
175 struct getsid_args {
176 pid_t pid;
177 };
178 #endif
179 /*
180 * MPSAFE
181 */
182 int
183 getsid(struct thread *td, struct getsid_args *uap)
184 {
185 struct proc *p;
186 int error;
187
188 if (uap->pid == 0) {
189 p = td->td_proc;
190 PROC_LOCK(p);
191 } else {
192 p = pfind(uap->pid);
193 if (p == NULL)
194 return (ESRCH);
195 error = p_cansee(td, p);
196 if (error) {
197 PROC_UNLOCK(p);
198 return (error);
199 }
200 }
201 td->td_retval[0] = p->p_session->s_sid;
202 PROC_UNLOCK(p);
203 return (0);
204 }
205
206 #ifndef _SYS_SYSPROTO_H_
207 struct getuid_args {
208 int dummy;
209 };
210 #endif
211 /*
212 * MPSAFE
213 */
214 /* ARGSUSED */
215 int
216 getuid(struct thread *td, struct getuid_args *uap)
217 {
218
219 td->td_retval[0] = td->td_ucred->cr_ruid;
220 #if defined(COMPAT_43)
221 td->td_retval[1] = td->td_ucred->cr_uid;
222 #endif
223 return (0);
224 }
225
226 #ifndef _SYS_SYSPROTO_H_
227 struct geteuid_args {
228 int dummy;
229 };
230 #endif
231 /*
232 * MPSAFE
233 */
234 /* ARGSUSED */
235 int
236 geteuid(struct thread *td, struct geteuid_args *uap)
237 {
238
239 td->td_retval[0] = td->td_ucred->cr_uid;
240 return (0);
241 }
242
243 #ifndef _SYS_SYSPROTO_H_
244 struct getgid_args {
245 int dummy;
246 };
247 #endif
248 /*
249 * MPSAFE
250 */
251 /* ARGSUSED */
252 int
253 getgid(struct thread *td, struct getgid_args *uap)
254 {
255
256 td->td_retval[0] = td->td_ucred->cr_rgid;
257 #if defined(COMPAT_43)
258 td->td_retval[1] = td->td_ucred->cr_groups[0];
259 #endif
260 return (0);
261 }
262
263 /*
264 * Get effective group ID. The "egid" is groups[0], and could be obtained
265 * via getgroups. This syscall exists because it is somewhat painful to do
266 * correctly in a library function.
267 */
268 #ifndef _SYS_SYSPROTO_H_
269 struct getegid_args {
270 int dummy;
271 };
272 #endif
273 /*
274 * MPSAFE
275 */
276 /* ARGSUSED */
277 int
278 getegid(struct thread *td, struct getegid_args *uap)
279 {
280
281 td->td_retval[0] = td->td_ucred->cr_groups[0];
282 return (0);
283 }
284
285 #ifndef _SYS_SYSPROTO_H_
286 struct getgroups_args {
287 u_int gidsetsize;
288 gid_t *gidset;
289 };
290 #endif
291 /*
292 * MPSAFE
293 */
294 int
295 getgroups(struct thread *td, register struct getgroups_args *uap)
296 {
297 struct ucred *cred;
298 u_int ngrp;
299 int error;
300
301 cred = td->td_ucred;
302 if ((ngrp = uap->gidsetsize) == 0) {
303 td->td_retval[0] = cred->cr_ngroups;
304 return (0);
305 }
306 if (ngrp < cred->cr_ngroups)
307 return (EINVAL);
308 ngrp = cred->cr_ngroups;
309 error = copyout(cred->cr_groups, uap->gidset, ngrp * sizeof(gid_t));
310 if (error == 0)
311 td->td_retval[0] = ngrp;
312 return (error);
313 }
314
315 #ifndef _SYS_SYSPROTO_H_
316 struct setsid_args {
317 int dummy;
318 };
319 #endif
320 /*
321 * MPSAFE
322 */
323 /* ARGSUSED */
324 int
325 setsid(register struct thread *td, struct setsid_args *uap)
326 {
327 struct pgrp *pgrp;
328 int error;
329 struct proc *p = td->td_proc;
330 struct pgrp *newpgrp;
331 struct session *newsess;
332
333 error = 0;
334 pgrp = NULL;
335
336 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
337 MALLOC(newsess, struct session *, sizeof(struct session), M_SESSION, M_WAITOK | M_ZERO);
338
339 sx_xlock(&proctree_lock);
340
341 if (p->p_pgid == p->p_pid || (pgrp = pgfind(p->p_pid)) != NULL) {
342 if (pgrp != NULL)
343 PGRP_UNLOCK(pgrp);
344 error = EPERM;
345 } else {
346 (void)enterpgrp(p, p->p_pid, newpgrp, newsess);
347 td->td_retval[0] = p->p_pid;
348 newpgrp = NULL;
349 newsess = NULL;
350 }
351
352 sx_xunlock(&proctree_lock);
353
354 if (newpgrp != NULL)
355 FREE(newpgrp, M_PGRP);
356 if (newsess != NULL)
357 FREE(newsess, M_SESSION);
358
359 return (error);
360 }
361
362 /*
363 * set process group (setpgid/old setpgrp)
364 *
365 * caller does setpgid(targpid, targpgid)
366 *
367 * pid must be caller or child of caller (ESRCH)
368 * if a child
369 * pid must be in same session (EPERM)
370 * pid can't have done an exec (EACCES)
371 * if pgid != pid
372 * there must exist some pid in same session having pgid (EPERM)
373 * pid must not be session leader (EPERM)
374 */
375 #ifndef _SYS_SYSPROTO_H_
376 struct setpgid_args {
377 int pid; /* target process id */
378 int pgid; /* target pgrp id */
379 };
380 #endif
381 /*
382 * MPSAFE
383 */
384 /* ARGSUSED */
385 int
386 setpgid(struct thread *td, register struct setpgid_args *uap)
387 {
388 struct proc *curp = td->td_proc;
389 register struct proc *targp; /* target process */
390 register struct pgrp *pgrp; /* target pgrp */
391 int error;
392 struct pgrp *newpgrp;
393
394 if (uap->pgid < 0)
395 return (EINVAL);
396
397 error = 0;
398
399 MALLOC(newpgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP, M_WAITOK | M_ZERO);
400
401 sx_xlock(&proctree_lock);
402 if (uap->pid != 0 && uap->pid != curp->p_pid) {
403 if ((targp = pfind(uap->pid)) == NULL) {
404 error = ESRCH;
405 goto done;
406 }
407 if (!inferior(targp)) {
408 PROC_UNLOCK(targp);
409 error = ESRCH;
410 goto done;
411 }
412 if ((error = p_cansee(td, targp))) {
413 PROC_UNLOCK(targp);
414 goto done;
415 }
416 if (targp->p_pgrp == NULL ||
417 targp->p_session != curp->p_session) {
418 PROC_UNLOCK(targp);
419 error = EPERM;
420 goto done;
421 }
422 if (targp->p_flag & P_EXEC) {
423 PROC_UNLOCK(targp);
424 error = EACCES;
425 goto done;
426 }
427 PROC_UNLOCK(targp);
428 } else
429 targp = curp;
430 if (SESS_LEADER(targp)) {
431 error = EPERM;
432 goto done;
433 }
434 if (uap->pgid == 0)
435 uap->pgid = targp->p_pid;
436 if ((pgrp = pgfind(uap->pgid)) == NULL) {
437 if (uap->pgid == targp->p_pid) {
438 error = enterpgrp(targp, uap->pgid, newpgrp,
439 NULL);
440 if (error == 0)
441 newpgrp = NULL;
442 } else
443 error = EPERM;
444 } else {
445 if (pgrp == targp->p_pgrp) {
446 PGRP_UNLOCK(pgrp);
447 goto done;
448 }
449 if (pgrp->pg_id != targp->p_pid &&
450 pgrp->pg_session != curp->p_session) {
451 PGRP_UNLOCK(pgrp);
452 error = EPERM;
453 goto done;
454 }
455 PGRP_UNLOCK(pgrp);
456 error = enterthispgrp(targp, pgrp);
457 }
458 done:
459 sx_xunlock(&proctree_lock);
460 KASSERT((error == 0) || (newpgrp != NULL),
461 ("setpgid failed and newpgrp is NULL"));
462 if (newpgrp != NULL)
463 FREE(newpgrp, M_PGRP);
464 return (error);
465 }
466
467 /*
468 * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
469 * compatible. It says that setting the uid/gid to euid/egid is a special
470 * case of "appropriate privilege". Once the rules are expanded out, this
471 * basically means that setuid(nnn) sets all three id's, in all permitted
472 * cases unless _POSIX_SAVED_IDS is enabled. In that case, setuid(getuid())
473 * does not set the saved id - this is dangerous for traditional BSD
474 * programs. For this reason, we *really* do not want to set
475 * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
476 */
477 #define POSIX_APPENDIX_B_4_2_2
478
479 #ifndef _SYS_SYSPROTO_H_
480 struct setuid_args {
481 uid_t uid;
482 };
483 #endif
484 /*
485 * MPSAFE
486 */
487 /* ARGSUSED */
488 int
489 setuid(struct thread *td, struct setuid_args *uap)
490 {
491 struct proc *p = td->td_proc;
492 struct ucred *newcred, *oldcred;
493 uid_t uid;
494 struct uidinfo *uip;
495 int error;
496
497 uid = uap->uid;
498 newcred = crget();
499 uip = uifind(uid);
500 PROC_LOCK(p);
501 oldcred = p->p_ucred;
502
503 /*
504 * See if we have "permission" by POSIX 1003.1 rules.
505 *
506 * Note that setuid(geteuid()) is a special case of
507 * "appropriate privileges" in appendix B.4.2.2. We need
508 * to use this clause to be compatible with traditional BSD
509 * semantics. Basically, it means that "setuid(xx)" sets all
510 * three id's (assuming you have privs).
511 *
512 * Notes on the logic. We do things in three steps.
513 * 1: We determine if the euid is going to change, and do EPERM
514 * right away. We unconditionally change the euid later if this
515 * test is satisfied, simplifying that part of the logic.
516 * 2: We determine if the real and/or saved uids are going to
517 * change. Determined by compile options.
518 * 3: Change euid last. (after tests in #2 for "appropriate privs")
519 */
520 if (uid != oldcred->cr_ruid && /* allow setuid(getuid()) */
521 #ifdef _POSIX_SAVED_IDS
522 uid != oldcred->cr_svuid && /* allow setuid(saved gid) */
523 #endif
524 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
525 uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
526 #endif
527 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
528 PROC_UNLOCK(p);
529 uifree(uip);
530 crfree(newcred);
531 return (error);
532 }
533
534 /*
535 * Copy credentials so other references do not see our changes.
536 */
537 crcopy(newcred, oldcred);
538 #ifdef _POSIX_SAVED_IDS
539 /*
540 * Do we have "appropriate privileges" (are we root or uid == euid)
541 * If so, we are changing the real uid and/or saved uid.
542 */
543 if (
544 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
545 uid == oldcred->cr_uid ||
546 #endif
547 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
548 #endif
549 {
550 /*
551 * Set the real uid and transfer proc count to new user.
552 */
553 if (uid != oldcred->cr_ruid) {
554 change_ruid(newcred, uip);
555 setsugid(p);
556 }
557 /*
558 * Set saved uid
559 *
560 * XXX always set saved uid even if not _POSIX_SAVED_IDS, as
561 * the security of seteuid() depends on it. B.4.2.2 says it
562 * is important that we should do this.
563 */
564 if (uid != oldcred->cr_svuid) {
565 change_svuid(newcred, uid);
566 setsugid(p);
567 }
568 }
569
570 /*
571 * In all permitted cases, we are changing the euid.
572 */
573 if (uid != oldcred->cr_uid) {
574 change_euid(newcred, uip);
575 setsugid(p);
576 }
577 p->p_ucred = newcred;
578 PROC_UNLOCK(p);
579 uifree(uip);
580 crfree(oldcred);
581 return (0);
582 }
583
584 #ifndef _SYS_SYSPROTO_H_
585 struct seteuid_args {
586 uid_t euid;
587 };
588 #endif
589 /*
590 * MPSAFE
591 */
592 /* ARGSUSED */
593 int
594 seteuid(struct thread *td, struct seteuid_args *uap)
595 {
596 struct proc *p = td->td_proc;
597 struct ucred *newcred, *oldcred;
598 uid_t euid;
599 struct uidinfo *euip;
600 int error;
601
602 euid = uap->euid;
603 newcred = crget();
604 euip = uifind(euid);
605 PROC_LOCK(p);
606 oldcred = p->p_ucred;
607 if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
608 euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
609 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
610 PROC_UNLOCK(p);
611 uifree(euip);
612 crfree(newcred);
613 return (error);
614 }
615 /*
616 * Everything's okay, do it. Copy credentials so other references do
617 * not see our changes.
618 */
619 crcopy(newcred, oldcred);
620 if (oldcred->cr_uid != euid) {
621 change_euid(newcred, euip);
622 setsugid(p);
623 }
624 p->p_ucred = newcred;
625 PROC_UNLOCK(p);
626 uifree(euip);
627 crfree(oldcred);
628 return (0);
629 }
630
631 #ifndef _SYS_SYSPROTO_H_
632 struct setgid_args {
633 gid_t gid;
634 };
635 #endif
636 /*
637 * MPSAFE
638 */
639 /* ARGSUSED */
640 int
641 setgid(struct thread *td, struct setgid_args *uap)
642 {
643 struct proc *p = td->td_proc;
644 struct ucred *newcred, *oldcred;
645 gid_t gid;
646 int error;
647
648 gid = uap->gid;
649 newcred = crget();
650 PROC_LOCK(p);
651 oldcred = p->p_ucred;
652
653 /*
654 * See if we have "permission" by POSIX 1003.1 rules.
655 *
656 * Note that setgid(getegid()) is a special case of
657 * "appropriate privileges" in appendix B.4.2.2. We need
658 * to use this clause to be compatible with traditional BSD
659 * semantics. Basically, it means that "setgid(xx)" sets all
660 * three id's (assuming you have privs).
661 *
662 * For notes on the logic here, see setuid() above.
663 */
664 if (gid != oldcred->cr_rgid && /* allow setgid(getgid()) */
665 #ifdef _POSIX_SAVED_IDS
666 gid != oldcred->cr_svgid && /* allow setgid(saved gid) */
667 #endif
668 #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
669 gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
670 #endif
671 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
672 PROC_UNLOCK(p);
673 crfree(newcred);
674 return (error);
675 }
676
677 crcopy(newcred, oldcred);
678 #ifdef _POSIX_SAVED_IDS
679 /*
680 * Do we have "appropriate privileges" (are we root or gid == egid)
681 * If so, we are changing the real uid and saved gid.
682 */
683 if (
684 #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
685 gid == oldcred->cr_groups[0] ||
686 #endif
687 suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */
688 #endif
689 {
690 /*
691 * Set real gid
692 */
693 if (oldcred->cr_rgid != gid) {
694 change_rgid(newcred, gid);
695 setsugid(p);
696 }
697 /*
698 * Set saved gid
699 *
700 * XXX always set saved gid even if not _POSIX_SAVED_IDS, as
701 * the security of setegid() depends on it. B.4.2.2 says it
702 * is important that we should do this.
703 */
704 if (oldcred->cr_svgid != gid) {
705 change_svgid(newcred, gid);
706 setsugid(p);
707 }
708 }
709 /*
710 * In all cases permitted cases, we are changing the egid.
711 * Copy credentials so other references do not see our changes.
712 */
713 if (oldcred->cr_groups[0] != gid) {
714 change_egid(newcred, gid);
715 setsugid(p);
716 }
717 p->p_ucred = newcred;
718 PROC_UNLOCK(p);
719 crfree(oldcred);
720 return (0);
721 }
722
723 #ifndef _SYS_SYSPROTO_H_
724 struct setegid_args {
725 gid_t egid;
726 };
727 #endif
728 /*
729 * MPSAFE
730 */
731 /* ARGSUSED */
732 int
733 setegid(struct thread *td, struct setegid_args *uap)
734 {
735 struct proc *p = td->td_proc;
736 struct ucred *newcred, *oldcred;
737 gid_t egid;
738 int error;
739
740 egid = uap->egid;
741 newcred = crget();
742 PROC_LOCK(p);
743 oldcred = p->p_ucred;
744 if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
745 egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
746 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
747 PROC_UNLOCK(p);
748 crfree(newcred);
749 return (error);
750 }
751 crcopy(newcred, oldcred);
752 if (oldcred->cr_groups[0] != egid) {
753 change_egid(newcred, egid);
754 setsugid(p);
755 }
756 p->p_ucred = newcred;
757 PROC_UNLOCK(p);
758 crfree(oldcred);
759 return (0);
760 }
761
762 #ifndef _SYS_SYSPROTO_H_
763 struct setgroups_args {
764 u_int gidsetsize;
765 gid_t *gidset;
766 };
767 #endif
768 /*
769 * MPSAFE
770 */
771 /* ARGSUSED */
772 int
773 setgroups(struct thread *td, struct setgroups_args *uap)
774 {
775 struct proc *p = td->td_proc;
776 struct ucred *newcred, *tempcred, *oldcred;
777 u_int ngrp;
778 int error;
779
780 ngrp = uap->gidsetsize;
781 if (ngrp > NGROUPS)
782 return (EINVAL);
783 tempcred = crget();
784 error = copyin(uap->gidset, tempcred->cr_groups, ngrp * sizeof(gid_t));
785 if (error != 0) {
786 crfree(tempcred);
787 return (error);
788 }
789 newcred = crget();
790 PROC_LOCK(p);
791 oldcred = p->p_ucred;
792 error = suser_cred(oldcred, SUSER_ALLOWJAIL);
793 if (error) {
794 PROC_UNLOCK(p);
795 crfree(newcred);
796 crfree(tempcred);
797 return (error);
798 }
799
800 /*
801 * XXX A little bit lazy here. We could test if anything has
802 * changed before crcopy() and setting P_SUGID.
803 */
804 crcopy(newcred, oldcred);
805 if (ngrp < 1) {
806 /*
807 * setgroups(0, NULL) is a legitimate way of clearing the
808 * groups vector on non-BSD systems (which generally do not
809 * have the egid in the groups[0]). We risk security holes
810 * when running non-BSD software if we do not do the same.
811 */
812 newcred->cr_ngroups = 1;
813 } else {
814 bcopy(tempcred->cr_groups, newcred->cr_groups,
815 ngrp * sizeof(gid_t));
816 newcred->cr_ngroups = ngrp;
817 }
818 setsugid(p);
819 p->p_ucred = newcred;
820 PROC_UNLOCK(p);
821 crfree(tempcred);
822 crfree(oldcred);
823 return (0);
824 }
825
826 #ifndef _SYS_SYSPROTO_H_
827 struct setreuid_args {
828 uid_t ruid;
829 uid_t euid;
830 };
831 #endif
832 /*
833 * MPSAFE
834 */
835 /* ARGSUSED */
836 int
837 setreuid(register struct thread *td, struct setreuid_args *uap)
838 {
839 struct proc *p = td->td_proc;
840 struct ucred *newcred, *oldcred;
841 uid_t euid, ruid;
842 struct uidinfo *euip, *ruip;
843 int error;
844
845 euid = uap->euid;
846 ruid = uap->ruid;
847 newcred = crget();
848 euip = uifind(euid);
849 ruip = uifind(ruid);
850 PROC_LOCK(p);
851 oldcred = p->p_ucred;
852 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
853 ruid != oldcred->cr_svuid) ||
854 (euid != (uid_t)-1 && euid != oldcred->cr_uid &&
855 euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
856 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
857 PROC_UNLOCK(p);
858 uifree(ruip);
859 uifree(euip);
860 crfree(newcred);
861 return (error);
862 }
863 crcopy(newcred, oldcred);
864 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
865 change_euid(newcred, euip);
866 setsugid(p);
867 }
868 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
869 change_ruid(newcred, ruip);
870 setsugid(p);
871 }
872 if ((ruid != (uid_t)-1 || newcred->cr_uid != newcred->cr_ruid) &&
873 newcred->cr_svuid != newcred->cr_uid) {
874 change_svuid(newcred, newcred->cr_uid);
875 setsugid(p);
876 }
877 p->p_ucred = newcred;
878 PROC_UNLOCK(p);
879 uifree(ruip);
880 uifree(euip);
881 crfree(oldcred);
882 return (0);
883 }
884
885 #ifndef _SYS_SYSPROTO_H_
886 struct setregid_args {
887 gid_t rgid;
888 gid_t egid;
889 };
890 #endif
891 /*
892 * MPSAFE
893 */
894 /* ARGSUSED */
895 int
896 setregid(register struct thread *td, struct setregid_args *uap)
897 {
898 struct proc *p = td->td_proc;
899 struct ucred *newcred, *oldcred;
900 gid_t egid, rgid;
901 int error;
902
903 egid = uap->egid;
904 rgid = uap->rgid;
905 newcred = crget();
906 PROC_LOCK(p);
907 oldcred = p->p_ucred;
908 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
909 rgid != oldcred->cr_svgid) ||
910 (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
911 egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
912 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
913 PROC_UNLOCK(p);
914 crfree(newcred);
915 return (error);
916 }
917
918 crcopy(newcred, oldcred);
919 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
920 change_egid(newcred, egid);
921 setsugid(p);
922 }
923 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
924 change_rgid(newcred, rgid);
925 setsugid(p);
926 }
927 if ((rgid != (gid_t)-1 || newcred->cr_groups[0] != newcred->cr_rgid) &&
928 newcred->cr_svgid != newcred->cr_groups[0]) {
929 change_svgid(newcred, newcred->cr_groups[0]);
930 setsugid(p);
931 }
932 p->p_ucred = newcred;
933 PROC_UNLOCK(p);
934 crfree(oldcred);
935 return (0);
936 }
937
938 /*
939 * setresuid(ruid, euid, suid) is like setreuid except control over the
940 * saved uid is explicit.
941 */
942
943 #ifndef _SYS_SYSPROTO_H_
944 struct setresuid_args {
945 uid_t ruid;
946 uid_t euid;
947 uid_t suid;
948 };
949 #endif
950 /*
951 * MPSAFE
952 */
953 /* ARGSUSED */
954 int
955 setresuid(register struct thread *td, struct setresuid_args *uap)
956 {
957 struct proc *p = td->td_proc;
958 struct ucred *newcred, *oldcred;
959 uid_t euid, ruid, suid;
960 struct uidinfo *euip, *ruip;
961 int error;
962
963 euid = uap->euid;
964 ruid = uap->ruid;
965 suid = uap->suid;
966 newcred = crget();
967 euip = uifind(euid);
968 ruip = uifind(ruid);
969 PROC_LOCK(p);
970 oldcred = p->p_ucred;
971 if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
972 ruid != oldcred->cr_svuid &&
973 ruid != oldcred->cr_uid) ||
974 (euid != (uid_t)-1 && euid != oldcred->cr_ruid &&
975 euid != oldcred->cr_svuid &&
976 euid != oldcred->cr_uid) ||
977 (suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
978 suid != oldcred->cr_svuid &&
979 suid != oldcred->cr_uid)) &&
980 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
981 PROC_UNLOCK(p);
982 uifree(ruip);
983 uifree(euip);
984 crfree(newcred);
985 return (error);
986 }
987
988 crcopy(newcred, oldcred);
989 if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
990 change_euid(newcred, euip);
991 setsugid(p);
992 }
993 if (ruid != (uid_t)-1 && oldcred->cr_ruid != ruid) {
994 change_ruid(newcred, ruip);
995 setsugid(p);
996 }
997 if (suid != (uid_t)-1 && oldcred->cr_svuid != suid) {
998 change_svuid(newcred, suid);
999 setsugid(p);
1000 }
1001 p->p_ucred = newcred;
1002 PROC_UNLOCK(p);
1003 uifree(ruip);
1004 uifree(euip);
1005 crfree(oldcred);
1006 return (0);
1007 }
1008
1009 /*
1010 * setresgid(rgid, egid, sgid) is like setregid except control over the
1011 * saved gid is explicit.
1012 */
1013
1014 #ifndef _SYS_SYSPROTO_H_
1015 struct setresgid_args {
1016 gid_t rgid;
1017 gid_t egid;
1018 gid_t sgid;
1019 };
1020 #endif
1021 /*
1022 * MPSAFE
1023 */
1024 /* ARGSUSED */
1025 int
1026 setresgid(register struct thread *td, struct setresgid_args *uap)
1027 {
1028 struct proc *p = td->td_proc;
1029 struct ucred *newcred, *oldcred;
1030 gid_t egid, rgid, sgid;
1031 int error;
1032
1033 egid = uap->egid;
1034 rgid = uap->rgid;
1035 sgid = uap->sgid;
1036 newcred = crget();
1037 PROC_LOCK(p);
1038 oldcred = p->p_ucred;
1039 if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
1040 rgid != oldcred->cr_svgid &&
1041 rgid != oldcred->cr_groups[0]) ||
1042 (egid != (gid_t)-1 && egid != oldcred->cr_rgid &&
1043 egid != oldcred->cr_svgid &&
1044 egid != oldcred->cr_groups[0]) ||
1045 (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
1046 sgid != oldcred->cr_svgid &&
1047 sgid != oldcred->cr_groups[0])) &&
1048 (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
1049 PROC_UNLOCK(p);
1050 crfree(newcred);
1051 return (error);
1052 }
1053
1054 crcopy(newcred, oldcred);
1055 if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
1056 change_egid(newcred, egid);
1057 setsugid(p);
1058 }
1059 if (rgid != (gid_t)-1 && oldcred->cr_rgid != rgid) {
1060 change_rgid(newcred, rgid);
1061 setsugid(p);
1062 }
1063 if (sgid != (gid_t)-1 && oldcred->cr_svgid != sgid) {
1064 change_svgid(newcred, sgid);
1065 setsugid(p);
1066 }
1067 p->p_ucred = newcred;
1068 PROC_UNLOCK(p);
1069 crfree(oldcred);
1070 return (0);
1071 }
1072
1073 #ifndef _SYS_SYSPROTO_H_
1074 struct getresuid_args {
1075 uid_t *ruid;
1076 uid_t *euid;
1077 uid_t *suid;
1078 };
1079 #endif
1080 /*
1081 * MPSAFE
1082 */
1083 /* ARGSUSED */
1084 int
1085 getresuid(register struct thread *td, struct getresuid_args *uap)
1086 {
1087 struct ucred *cred;
1088 int error1 = 0, error2 = 0, error3 = 0;
1089
1090 cred = td->td_ucred;
1091 if (uap->ruid)
1092 error1 = copyout(&cred->cr_ruid,
1093 uap->ruid, sizeof(cred->cr_ruid));
1094 if (uap->euid)
1095 error2 = copyout(&cred->cr_uid,
1096 uap->euid, sizeof(cred->cr_uid));
1097 if (uap->suid)
1098 error3 = copyout(&cred->cr_svuid,
1099 uap->suid, sizeof(cred->cr_svuid));
1100 return (error1 ? error1 : error2 ? error2 : error3);
1101 }
1102
1103 #ifndef _SYS_SYSPROTO_H_
1104 struct getresgid_args {
1105 gid_t *rgid;
1106 gid_t *egid;
1107 gid_t *sgid;
1108 };
1109 #endif
1110 /*
1111 * MPSAFE
1112 */
1113 /* ARGSUSED */
1114 int
1115 getresgid(register struct thread *td, struct getresgid_args *uap)
1116 {
1117 struct ucred *cred;
1118 int error1 = 0, error2 = 0, error3 = 0;
1119
1120 cred = td->td_ucred;
1121 if (uap->rgid)
1122 error1 = copyout(&cred->cr_rgid,
1123 uap->rgid, sizeof(cred->cr_rgid));
1124 if (uap->egid)
1125 error2 = copyout(&cred->cr_groups[0],
1126 uap->egid, sizeof(cred->cr_groups[0]));
1127 if (uap->sgid)
1128 error3 = copyout(&cred->cr_svgid,
1129 uap->sgid, sizeof(cred->cr_svgid));
1130 return (error1 ? error1 : error2 ? error2 : error3);
1131 }
1132
1133 #ifndef _SYS_SYSPROTO_H_
1134 struct issetugid_args {
1135 int dummy;
1136 };
1137 #endif
1138 /*
1139 * MPSAFE
1140 */
1141 /* ARGSUSED */
1142 int
1143 issetugid(register struct thread *td, struct issetugid_args *uap)
1144 {
1145 struct proc *p = td->td_proc;
1146
1147 /*
1148 * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
1149 * we use P_SUGID because we consider changing the owners as
1150 * "tainting" as well.
1151 * This is significant for procs that start as root and "become"
1152 * a user without an exec - programs cannot know *everything*
1153 * that libc *might* have put in their data segment.
1154 */
1155 PROC_LOCK(p);
1156 td->td_retval[0] = (p->p_flag & P_SUGID) ? 1 : 0;
1157 PROC_UNLOCK(p);
1158 return (0);
1159 }
1160
1161 /*
1162 * MPSAFE
1163 */
1164 int
1165 __setugid(struct thread *td, struct __setugid_args *uap)
1166 {
1167 #ifdef REGRESSION
1168 struct proc *p;
1169
1170 p = td->td_proc;
1171 switch (uap->flag) {
1172 case 0:
1173 PROC_LOCK(p);
1174 p->p_flag &= ~P_SUGID;
1175 PROC_UNLOCK(p);
1176 return (0);
1177 case 1:
1178 PROC_LOCK(p);
1179 p->p_flag |= P_SUGID;
1180 PROC_UNLOCK(p);
1181 return (0);
1182 default:
1183 return (EINVAL);
1184 }
1185 #else /* !REGRESSION */
1186
1187 return (ENOSYS);
1188 #endif /* REGRESSION */
1189 }
1190
1191 /*
1192 * Check if gid is a member of the group set.
1193 *
1194 * MPSAFE (cred must be held)
1195 */
1196 int
1197 groupmember(gid_t gid, struct ucred *cred)
1198 {
1199 register gid_t *gp;
1200 gid_t *egp;
1201
1202 egp = &(cred->cr_groups[cred->cr_ngroups]);
1203 for (gp = cred->cr_groups; gp < egp; gp++)
1204 if (*gp == gid)
1205 return (1);
1206 return (0);
1207 }
1208
1209 /*
1210 * `suser_enabled' (which can be set by the security.suser_enabled
1211 * sysctl) determines whether the system 'super-user' policy is in effect.
1212 * If it is nonzero, an effective uid of 0 connotes special privilege,
1213 * overriding many mandatory and discretionary protections. If it is zero,
1214 * uid 0 is offered no special privilege in the kernel security policy.
1215 * Setting it to zero may seriously impact the functionality of many
1216 * existing userland programs, and should not be done without careful
1217 * consideration of the consequences.
1218 */
1219 int suser_enabled = 1;
1220 SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
1221 &suser_enabled, 0, "processes with uid 0 have privilege");
1222 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
1223
1224 /*
1225 * Test whether the specified credentials imply "super-user" privilege.
1226 * Return 0 or EPERM.
1227 */
1228 int
1229 suser_cred(struct ucred *cred, int flag)
1230 {
1231
1232 if (!suser_enabled)
1233 return (EPERM);
1234 if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
1235 return (EPERM);
1236 if (jailed(cred) && !(flag & SUSER_ALLOWJAIL))
1237 return (EPERM);
1238 return (0);
1239 }
1240
1241 /*
1242 * Shortcut to hide contents of struct td and struct proc from the
1243 * caller, promoting binary compatibility.
1244 */
1245 int
1246 suser(struct thread *td)
1247 {
1248
1249 #ifdef INVARIANTS
1250 if (td != curthread) {
1251 printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n",
1252 td, td->td_proc->p_pid, td->td_proc->p_comm,
1253 curthread, curthread->td_proc->p_pid,
1254 curthread->td_proc->p_comm);
1255 #ifdef KDB
1256 kdb_backtrace();
1257 #endif
1258 }
1259 #endif
1260 return (suser_cred(td->td_ucred, 0));
1261 }
1262
1263 /*
1264 * Test the active securelevel against a given level. securelevel_gt()
1265 * implements (securelevel > level). securelevel_ge() implements
1266 * (securelevel >= level). Note that the logic is inverted -- these
1267 * functions return EPERM on "success" and 0 on "failure".
1268 *
1269 * MPSAFE
1270 */
1271 int
1272 securelevel_gt(struct ucred *cr, int level)
1273 {
1274 int active_securelevel;
1275
1276 active_securelevel = securelevel;
1277 KASSERT(cr != NULL, ("securelevel_gt: null cr"));
1278 if (cr->cr_prison != NULL) {
1279 mtx_lock(&cr->cr_prison->pr_mtx);
1280 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1281 active_securelevel);
1282 mtx_unlock(&cr->cr_prison->pr_mtx);
1283 }
1284 return (active_securelevel > level ? EPERM : 0);
1285 }
1286
1287 int
1288 securelevel_ge(struct ucred *cr, int level)
1289 {
1290 int active_securelevel;
1291
1292 active_securelevel = securelevel;
1293 KASSERT(cr != NULL, ("securelevel_ge: null cr"));
1294 if (cr->cr_prison != NULL) {
1295 mtx_lock(&cr->cr_prison->pr_mtx);
1296 active_securelevel = imax(cr->cr_prison->pr_securelevel,
1297 active_securelevel);
1298 mtx_unlock(&cr->cr_prison->pr_mtx);
1299 }
1300 return (active_securelevel >= level ? EPERM : 0);
1301 }
1302
1303 /*
1304 * 'see_other_uids' determines whether or not visibility of processes
1305 * and sockets with credentials holding different real uids is possible
1306 * using a variety of system MIBs.
1307 * XXX: data declarations should be together near the beginning of the file.
1308 */
1309 static int see_other_uids = 1;
1310 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
1311 &see_other_uids, 0,
1312 "Unprivileged processes may see subjects/objects with different real uid");
1313
1314 /*-
1315 * Determine if u1 "can see" the subject specified by u2, according to the
1316 * 'see_other_uids' policy.
1317 * Returns: 0 for permitted, ESRCH otherwise
1318 * Locks: none
1319 * References: *u1 and *u2 must not change during the call
1320 * u1 may equal u2, in which case only one reference is required
1321 */
1322 static int
1323 cr_seeotheruids(struct ucred *u1, struct ucred *u2)
1324 {
1325
1326 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
1327 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1328 return (ESRCH);
1329 }
1330 return (0);
1331 }
1332
1333 /*
1334 * 'see_other_gids' determines whether or not visibility of processes
1335 * and sockets with credentials holding different real gids is possible
1336 * using a variety of system MIBs.
1337 * XXX: data declarations should be together near the beginning of the file.
1338 */
1339 static int see_other_gids = 1;
1340 SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
1341 &see_other_gids, 0,
1342 "Unprivileged processes may see subjects/objects with different real gid");
1343
1344 /*
1345 * Determine if u1 can "see" the subject specified by u2, according to the
1346 * 'see_other_gids' policy.
1347 * Returns: 0 for permitted, ESRCH otherwise
1348 * Locks: none
1349 * References: *u1 and *u2 must not change during the call
1350 * u1 may equal u2, in which case only one reference is required
1351 */
1352 static int
1353 cr_seeothergids(struct ucred *u1, struct ucred *u2)
1354 {
1355 int i, match;
1356
1357 if (!see_other_gids) {
1358 match = 0;
1359 for (i = 0; i < u1->cr_ngroups; i++) {
1360 if (groupmember(u1->cr_groups[i], u2))
1361 match = 1;
1362 if (match)
1363 break;
1364 }
1365 if (!match) {
1366 if (suser_cred(u1, SUSER_ALLOWJAIL) != 0)
1367 return (ESRCH);
1368 }
1369 }
1370 return (0);
1371 }
1372
1373 /*-
1374 * Determine if u1 "can see" the subject specified by u2.
1375 * Returns: 0 for permitted, an errno value otherwise
1376 * Locks: none
1377 * References: *u1 and *u2 must not change during the call
1378 * u1 may equal u2, in which case only one reference is required
1379 */
1380 int
1381 cr_cansee(struct ucred *u1, struct ucred *u2)
1382 {
1383 int error;
1384
1385 if ((error = prison_check(u1, u2)))
1386 return (error);
1387 #ifdef MAC
1388 if ((error = mac_check_cred_visible(u1, u2)))
1389 return (error);
1390 #endif
1391 if ((error = cr_seeotheruids(u1, u2)))
1392 return (error);
1393 if ((error = cr_seeothergids(u1, u2)))
1394 return (error);
1395 return (0);
1396 }
1397
1398 /*-
1399 * Determine if td "can see" the subject specified by p.
1400 * Returns: 0 for permitted, an errno value otherwise
1401 * Locks: Sufficient locks to protect p->p_ucred must be held. td really
1402 * should be curthread.
1403 * References: td and p must be valid for the lifetime of the call
1404 */
1405 int
1406 p_cansee(struct thread *td, struct proc *p)
1407 {
1408
1409 /* Wrap cr_cansee() for all functionality. */
1410 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1411 PROC_LOCK_ASSERT(p, MA_OWNED);
1412 return (cr_cansee(td->td_ucred, p->p_ucred));
1413 }
1414
1415 /*
1416 * 'conservative_signals' prevents the delivery of a broad class of
1417 * signals by unprivileged processes to processes that have changed their
1418 * credentials since the last invocation of execve(). This can prevent
1419 * the leakage of cached information or retained privileges as a result
1420 * of a common class of signal-related vulnerabilities. However, this
1421 * may interfere with some applications that expect to be able to
1422 * deliver these signals to peer processes after having given up
1423 * privilege.
1424 */
1425 static int conservative_signals = 1;
1426 SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
1427 &conservative_signals, 0, "Unprivileged processes prevented from "
1428 "sending certain signals to processes whose credentials have changed");
1429 /*-
1430 * Determine whether cred may deliver the specified signal to proc.
1431 * Returns: 0 for permitted, an errno value otherwise.
1432 * Locks: A lock must be held for proc.
1433 * References: cred and proc must be valid for the lifetime of the call.
1434 */
1435 int
1436 cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
1437 {
1438 int error;
1439
1440 PROC_LOCK_ASSERT(proc, MA_OWNED);
1441 /*
1442 * Jail semantics limit the scope of signalling to proc in the
1443 * same jail as cred, if cred is in jail.
1444 */
1445 error = prison_check(cred, proc->p_ucred);
1446 if (error)
1447 return (error);
1448 #ifdef MAC
1449 if ((error = mac_check_proc_signal(cred, proc, signum)))
1450 return (error);
1451 #endif
1452 if ((error = cr_seeotheruids(cred, proc->p_ucred)))
1453 return (error);
1454 if ((error = cr_seeothergids(cred, proc->p_ucred)))
1455 return (error);
1456
1457 /*
1458 * UNIX signal semantics depend on the status of the P_SUGID
1459 * bit on the target process. If the bit is set, then additional
1460 * restrictions are placed on the set of available signals.
1461 */
1462 if (conservative_signals && (proc->p_flag & P_SUGID)) {
1463 switch (signum) {
1464 case 0:
1465 case SIGKILL:
1466 case SIGINT:
1467 case SIGTERM:
1468 case SIGALRM:
1469 case SIGSTOP:
1470 case SIGTTIN:
1471 case SIGTTOU:
1472 case SIGTSTP:
1473 case SIGHUP:
1474 case SIGUSR1:
1475 case SIGUSR2:
1476 /*
1477 * Generally, permit job and terminal control
1478 * signals.
1479 */
1480 break;
1481 default:
1482 /* Not permitted without privilege. */
1483 error = suser_cred(cred, SUSER_ALLOWJAIL);
1484 if (error)
1485 return (error);
1486 }
1487 }
1488
1489 /*
1490 * Generally, the target credential's ruid or svuid must match the
1491 * subject credential's ruid or euid.
1492 */
1493 if (cred->cr_ruid != proc->p_ucred->cr_ruid &&
1494 cred->cr_ruid != proc->p_ucred->cr_svuid &&
1495 cred->cr_uid != proc->p_ucred->cr_ruid &&
1496 cred->cr_uid != proc->p_ucred->cr_svuid) {
1497 /* Not permitted without privilege. */
1498 error = suser_cred(cred, SUSER_ALLOWJAIL);
1499 if (error)
1500 return (error);
1501 }
1502
1503 return (0);
1504 }
1505
1506
1507 /*-
1508 * Determine whether td may deliver the specified signal to p.
1509 * Returns: 0 for permitted, an errno value otherwise
1510 * Locks: Sufficient locks to protect various components of td and p
1511 * must be held. td must be curthread, and a lock must be
1512 * held for p.
1513 * References: td and p must be valid for the lifetime of the call
1514 */
1515 int
1516 p_cansignal(struct thread *td, struct proc *p, int signum)
1517 {
1518
1519 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1520 PROC_LOCK_ASSERT(p, MA_OWNED);
1521 if (td->td_proc == p)
1522 return (0);
1523
1524 /*
1525 * UNIX signalling semantics require that processes in the same
1526 * session always be able to deliver SIGCONT to one another,
1527 * overriding the remaining protections.
1528 */
1529 /* XXX: This will require an additional lock of some sort. */
1530 if (signum == SIGCONT && td->td_proc->p_session == p->p_session)
1531 return (0);
1532
1533 return (cr_cansignal(td->td_ucred, p, signum));
1534 }
1535
1536 /*-
1537 * Determine whether td may reschedule p.
1538 * Returns: 0 for permitted, an errno value otherwise
1539 * Locks: Sufficient locks to protect various components of td and p
1540 * must be held. td must be curthread, and a lock must
1541 * be held for p.
1542 * References: td and p must be valid for the lifetime of the call
1543 */
1544 int
1545 p_cansched(struct thread *td, struct proc *p)
1546 {
1547 int error;
1548
1549 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1550 PROC_LOCK_ASSERT(p, MA_OWNED);
1551 if (td->td_proc == p)
1552 return (0);
1553 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1554 return (error);
1555 #ifdef MAC
1556 if ((error = mac_check_proc_sched(td->td_ucred, p)))
1557 return (error);
1558 #endif
1559 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1560 return (error);
1561 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1562 return (error);
1563 if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
1564 return (0);
1565 if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
1566 return (0);
1567 if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0)
1568 return (0);
1569
1570 #ifdef CAPABILITIES
1571 if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL))
1572 return (0);
1573 #endif
1574
1575 return (EPERM);
1576 }
1577
1578 /*
1579 * The 'unprivileged_proc_debug' flag may be used to disable a variety of
1580 * unprivileged inter-process debugging services, including some procfs
1581 * functionality, ptrace(), and ktrace(). In the past, inter-process
1582 * debugging has been involved in a variety of security problems, and sites
1583 * not requiring the service might choose to disable it when hardening
1584 * systems.
1585 *
1586 * XXX: Should modifying and reading this variable require locking?
1587 * XXX: data declarations should be together near the beginning of the file.
1588 */
1589 static int unprivileged_proc_debug = 1;
1590 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
1591 &unprivileged_proc_debug, 0,
1592 "Unprivileged processes may use process debugging facilities");
1593
1594 /*-
1595 * Determine whether td may debug p.
1596 * Returns: 0 for permitted, an errno value otherwise
1597 * Locks: Sufficient locks to protect various components of td and p
1598 * must be held. td must be curthread, and a lock must
1599 * be held for p.
1600 * References: td and p must be valid for the lifetime of the call
1601 */
1602 int
1603 p_candebug(struct thread *td, struct proc *p)
1604 {
1605 int credentialchanged, error, grpsubset, i, uidsubset;
1606
1607 KASSERT(td == curthread, ("%s: td not curthread", __func__));
1608 PROC_LOCK_ASSERT(p, MA_OWNED);
1609 if (!unprivileged_proc_debug) {
1610 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1611 if (error)
1612 return (error);
1613 }
1614 if (td->td_proc == p)
1615 return (0);
1616 if ((error = prison_check(td->td_ucred, p->p_ucred)))
1617 return (error);
1618 #ifdef MAC
1619 if ((error = mac_check_proc_debug(td->td_ucred, p)))
1620 return (error);
1621 #endif
1622 if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
1623 return (error);
1624 if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
1625 return (error);
1626
1627 /*
1628 * Is p's group set a subset of td's effective group set? This
1629 * includes p's egid, group access list, rgid, and svgid.
1630 */
1631 grpsubset = 1;
1632 for (i = 0; i < p->p_ucred->cr_ngroups; i++) {
1633 if (!groupmember(p->p_ucred->cr_groups[i], td->td_ucred)) {
1634 grpsubset = 0;
1635 break;
1636 }
1637 }
1638 grpsubset = grpsubset &&
1639 groupmember(p->p_ucred->cr_rgid, td->td_ucred) &&
1640 groupmember(p->p_ucred->cr_svgid, td->td_ucred);
1641
1642 /*
1643 * Are the uids present in p's credential equal to td's
1644 * effective uid? This includes p's euid, svuid, and ruid.
1645 */
1646 uidsubset = (td->td_ucred->cr_uid == p->p_ucred->cr_uid &&
1647 td->td_ucred->cr_uid == p->p_ucred->cr_svuid &&
1648 td->td_ucred->cr_uid == p->p_ucred->cr_ruid);
1649
1650 /*
1651 * Has the credential of the process changed since the last exec()?
1652 */
1653 credentialchanged = (p->p_flag & P_SUGID);
1654
1655 /*
1656 * If p's gids aren't a subset, or the uids aren't a subset,
1657 * or the credential has changed, require appropriate privilege
1658 * for td to debug p. For POSIX.1e capabilities, this will
1659 * require CAP_SYS_PTRACE.
1660 */
1661 if (!grpsubset || !uidsubset || credentialchanged) {
1662 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1663 if (error)
1664 return (error);
1665 }
1666
1667 /* Can't trace init when securelevel > 0. */
1668 if (p == initproc) {
1669 error = securelevel_gt(td->td_ucred, 0);
1670 if (error)
1671 return (error);
1672 }
1673
1674 /*
1675 * Can't trace a process that's currently exec'ing.
1676 * XXX: Note, this is not a security policy decision, it's a
1677 * basic correctness/functionality decision. Therefore, this check
1678 * should be moved to the caller's of p_candebug().
1679 */
1680 if ((p->p_flag & P_INEXEC) != 0)
1681 return (EAGAIN);
1682
1683 return (0);
1684 }
1685
1686 /*-
1687 * Determine whether the subject represented by cred can "see" a socket.
1688 * Returns: 0 for permitted, ENOENT otherwise.
1689 */
1690 int
1691 cr_canseesocket(struct ucred *cred, struct socket *so)
1692 {
1693 int error;
1694
1695 error = prison_check(cred, so->so_cred);
1696 if (error)
1697 return (ENOENT);
1698 #ifdef MAC
1699 SOCK_LOCK(so);
1700 error = mac_check_socket_visible(cred, so);
1701 SOCK_UNLOCK(so);
1702 if (error)
1703 return (error);
1704 #endif
1705 if (cr_seeotheruids(cred, so->so_cred))
1706 return (ENOENT);
1707 if (cr_seeothergids(cred, so->so_cred))
1708 return (ENOENT);
1709
1710 return (0);
1711 }
1712
1713 /*
1714 * Allocate a zeroed cred structure.
1715 * MPSAFE
1716 */
1717 struct ucred *
1718 crget(void)
1719 {
1720 register struct ucred *cr;
1721
1722 MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
1723 cr->cr_ref = 1;
1724 cr->cr_mtxp = mtx_pool_find(mtxpool_sleep, cr);
1725 #ifdef MAC
1726 mac_init_cred(cr);
1727 #endif
1728 return (cr);
1729 }
1730
1731 /*
1732 * Claim another reference to a ucred structure.
1733 * MPSAFE
1734 */
1735 struct ucred *
1736 crhold(struct ucred *cr)
1737 {
1738
1739 mtx_lock(cr->cr_mtxp);
1740 cr->cr_ref++;
1741 mtx_unlock(cr->cr_mtxp);
1742 return (cr);
1743 }
1744
1745 /*
1746 * Free a cred structure.
1747 * Throws away space when ref count gets to 0.
1748 * MPSAFE
1749 */
1750 void
1751 crfree(struct ucred *cr)
1752 {
1753 struct mtx *mtxp = cr->cr_mtxp;
1754
1755 mtx_lock(mtxp);
1756 KASSERT(cr->cr_ref > 0, ("bad ucred refcount: %d", cr->cr_ref));
1757 if (--cr->cr_ref == 0) {
1758 mtx_unlock(mtxp);
1759 /*
1760 * Some callers of crget(), such as nfs_statfs(),
1761 * allocate a temporary credential, but don't
1762 * allocate a uidinfo structure.
1763 */
1764 if (cr->cr_uidinfo != NULL)
1765 uifree(cr->cr_uidinfo);
1766 if (cr->cr_ruidinfo != NULL)
1767 uifree(cr->cr_ruidinfo);
1768 /*
1769 * Free a prison, if any.
1770 */
1771 if (jailed(cr))
1772 prison_free(cr->cr_prison);
1773 #ifdef MAC
1774 mac_destroy_cred(cr);
1775 #endif
1776 FREE(cr, M_CRED);
1777 } else {
1778 mtx_unlock(mtxp);
1779 }
1780 }
1781
1782 /*
1783 * Check to see if this ucred is shared.
1784 * MPSAFE
1785 */
1786 int
1787 crshared(struct ucred *cr)
1788 {
1789 int shared;
1790
1791 mtx_lock(cr->cr_mtxp);
1792 shared = (cr->cr_ref > 1);
1793 mtx_unlock(cr->cr_mtxp);
1794 return (shared);
1795 }
1796
1797 /*
1798 * Copy a ucred's contents from a template. Does not block.
1799 * MPSAFE
1800 */
1801 void
1802 crcopy(struct ucred *dest, struct ucred *src)
1803 {
1804
1805 KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1806 bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1807 (unsigned)((caddr_t)&src->cr_endcopy -
1808 (caddr_t)&src->cr_startcopy));
1809 uihold(dest->cr_uidinfo);
1810 uihold(dest->cr_ruidinfo);
1811 if (jailed(dest))
1812 prison_hold(dest->cr_prison);
1813 #ifdef MAC
1814 mac_copy_cred(src, dest);
1815 #endif
1816 }
1817
1818 /*
1819 * Dup cred struct to a new held one.
1820 * MPSAFE
1821 */
1822 struct ucred *
1823 crdup(struct ucred *cr)
1824 {
1825 struct ucred *newcr;
1826
1827 newcr = crget();
1828 crcopy(newcr, cr);
1829 return (newcr);
1830 }
1831
1832 /*
1833 * Fill in a struct xucred based on a struct ucred.
1834 * MPSAFE
1835 */
1836 void
1837 cru2x(struct ucred *cr, struct xucred *xcr)
1838 {
1839
1840 bzero(xcr, sizeof(*xcr));
1841 xcr->cr_version = XUCRED_VERSION;
1842 xcr->cr_uid = cr->cr_uid;
1843 xcr->cr_ngroups = cr->cr_ngroups;
1844 bcopy(cr->cr_groups, xcr->cr_groups, sizeof(cr->cr_groups));
1845 }
1846
1847 /*
1848 * small routine to swap a thread's current ucred for the correct one
1849 * taken from the process.
1850 * MPSAFE
1851 */
1852 void
1853 cred_update_thread(struct thread *td)
1854 {
1855 struct proc *p;
1856 struct ucred *cred;
1857
1858 p = td->td_proc;
1859 cred = td->td_ucred;
1860 PROC_LOCK(p);
1861 td->td_ucred = crhold(p->p_ucred);
1862 PROC_UNLOCK(p);
1863 if (cred != NULL)
1864 crfree(cred);
1865 }
1866
1867 /*
1868 * Get login name, if available.
1869 */
1870 #ifndef _SYS_SYSPROTO_H_
1871 struct getlogin_args {
1872 char *namebuf;
1873 u_int namelen;
1874 };
1875 #endif
1876 /*
1877 * MPSAFE
1878 */
1879 /* ARGSUSED */
1880 int
1881 getlogin(struct thread *td, struct getlogin_args *uap)
1882 {
1883 int error;
1884 char login[MAXLOGNAME];
1885 struct proc *p = td->td_proc;
1886
1887 if (uap->namelen > MAXLOGNAME)
1888 uap->namelen = MAXLOGNAME;
1889 PROC_LOCK(p);
1890 SESS_LOCK(p->p_session);
1891 bcopy(p->p_session->s_login, login, uap->namelen);
1892 SESS_UNLOCK(p->p_session);
1893 PROC_UNLOCK(p);
1894 error = copyout(login, uap->namebuf, uap->namelen);
1895 return(error);
1896 }
1897
1898 /*
1899 * Set login name.
1900 */
1901 #ifndef _SYS_SYSPROTO_H_
1902 struct setlogin_args {
1903 char *namebuf;
1904 };
1905 #endif
1906 /*
1907 * MPSAFE
1908 */
1909 /* ARGSUSED */
1910 int
1911 setlogin(struct thread *td, struct setlogin_args *uap)
1912 {
1913 struct proc *p = td->td_proc;
1914 int error;
1915 char logintmp[MAXLOGNAME];
1916
1917 error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
1918 if (error)
1919 return (error);
1920 error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
1921 if (error == ENAMETOOLONG)
1922 error = EINVAL;
1923 else if (!error) {
1924 PROC_LOCK(p);
1925 SESS_LOCK(p->p_session);
1926 (void) memcpy(p->p_session->s_login, logintmp,
1927 sizeof(logintmp));
1928 SESS_UNLOCK(p->p_session);
1929 PROC_UNLOCK(p);
1930 }
1931 return (error);
1932 }
1933
1934 void
1935 setsugid(struct proc *p)
1936 {
1937
1938 PROC_LOCK_ASSERT(p, MA_OWNED);
1939 p->p_flag |= P_SUGID;
1940 if (!(p->p_pfsflags & PF_ISUGID))
1941 p->p_stops = 0;
1942 }
1943
1944 /*-
1945 * Change a process's effective uid.
1946 * Side effects: newcred->cr_uid and newcred->cr_uidinfo will be modified.
1947 * References: newcred must be an exclusive credential reference for the
1948 * duration of the call.
1949 */
1950 void
1951 change_euid(struct ucred *newcred, struct uidinfo *euip)
1952 {
1953
1954 newcred->cr_uid = euip->ui_uid;
1955 uihold(euip);
1956 uifree(newcred->cr_uidinfo);
1957 newcred->cr_uidinfo = euip;
1958 }
1959
1960 /*-
1961 * Change a process's effective gid.
1962 * Side effects: newcred->cr_gid will be modified.
1963 * References: newcred must be an exclusive credential reference for the
1964 * duration of the call.
1965 */
1966 void
1967 change_egid(struct ucred *newcred, gid_t egid)
1968 {
1969
1970 newcred->cr_groups[0] = egid;
1971 }
1972
1973 /*-
1974 * Change a process's real uid.
1975 * Side effects: newcred->cr_ruid will be updated, newcred->cr_ruidinfo
1976 * will be updated, and the old and new cr_ruidinfo proc
1977 * counts will be updated.
1978 * References: newcred must be an exclusive credential reference for the
1979 * duration of the call.
1980 */
1981 void
1982 change_ruid(struct ucred *newcred, struct uidinfo *ruip)
1983 {
1984
1985 (void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
1986 newcred->cr_ruid = ruip->ui_uid;
1987 uihold(ruip);
1988 uifree(newcred->cr_ruidinfo);
1989 newcred->cr_ruidinfo = ruip;
1990 (void)chgproccnt(newcred->cr_ruidinfo, 1, 0);
1991 }
1992
1993 /*-
1994 * Change a process's real gid.
1995 * Side effects: newcred->cr_rgid will be updated.
1996 * References: newcred must be an exclusive credential reference for the
1997 * duration of the call.
1998 */
1999 void
2000 change_rgid(struct ucred *newcred, gid_t rgid)
2001 {
2002
2003 newcred->cr_rgid = rgid;
2004 }
2005
2006 /*-
2007 * Change a process's saved uid.
2008 * Side effects: newcred->cr_svuid will be updated.
2009 * References: newcred must be an exclusive credential reference for the
2010 * duration of the call.
2011 */
2012 void
2013 change_svuid(struct ucred *newcred, uid_t svuid)
2014 {
2015
2016 newcred->cr_svuid = svuid;
2017 }
2018
2019 /*-
2020 * Change a process's saved gid.
2021 * Side effects: newcred->cr_svgid will be updated.
2022 * References: newcred must be an exclusive credential reference for the
2023 * duration of the call.
2024 */
2025 void
2026 change_svgid(struct ucred *newcred, gid_t svgid)
2027 {
2028
2029 newcred->cr_svgid = svgid;
2030 }
Cache object: 2dc5339cf4eb0054e4f4488c5bff54a4
|